If you haven’t heard the news yet, EtherDelta was subject to a phishing attack on its DNS server yesterday. A hacker compromised the EtherDelta website, supplanting it with a copycat version of the popular Ethereum exchange. When the dust settled, the culprit stole away with 305 ETH, valued at over $244,000, and a bagful of ERC20 tokens.
This makes EtherDelta the latest to join an infirmary of exchanges plagued by hacking attacks in 2017. Earlier in the year, Bithumb lost hundreds of millions of won, and after recovering from an attack in April, Youbit had to terminate operations after losing 17% of its funds in a hack earlier this week.
Unlike Youbit, EtherDelta managed to scrape by relatively unscathed in its own hacking run-in. Users have decentralization and smart contracts to thank for that.
Typical exchanges (Bithumb, Bittrex, Binance, and the like) are centralized, trusted, and operate much like a bank. When you use one of these services, you trust the exchange to manage the private keys of your accounts for you, and assets are purchased and distributed on an IOU basis through the exchange’s reserve. The exchange holds all funds for its customers until they want to withdraw them from the exchange, at which time the exchange relinquishes the private keys to its users and debits them with the corresponding account balance.
EtherDelta, on the other hand, is trustless. Everything on the exchange is peer to peer, and EtherDelta itself does not manage user funds; it only provides a platform to facilitate trading. As a result, users are completely in charge of their own keys. They import them onto the exchange either by entering the key manually or by syncing EtherDelta with a Ledger Nano S or MetaMask browser wallet. Once imported, users manage their keys using Ethereum-powered smart contracts.
These smart contracts and EtherDelta’s trustless decentralization are the reason the hacker had to go to the lengths he did to pull off the heist. If the culprit had gone after, say, Bittrex, s/he would only have needed to tap into the exchange’s hot wallet reserve to nab individual keys. With EtherDelta, there is no reserve, so to access private keys the hacker had to use a phishing scam to trick users into exposing them. Once a user entered a private key on the fake website, they had handed over what the hacker could not have accessed otherwise.
This is why any funds held in the exchange’s smart contracts went untouched. It’s also why funds managed with a Ledger Nano S or MetaMask wallet, which hold your private keys for you, would have been safe at the time of the attack. The hacker could only steal keys that were typed manually into the malicious site and captured there. In redirecting website traffic, the hacker only hijacked EtherDelta’s domain name, not the exchange itself or its smart contracts.
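To make the distinction concrete, here is an added illustration (not code from EtherDelta or from the original article) of why a copycat site gains everything from a key that is typed into it but nothing reusable from a wallet that only returns signatures. The signature scheme is a constructed HMAC stand-in, not Ethereum's secp256k1 ECDSA, and the wallet and page classes are hypothetical models of the two flows.

```python
import hmac
import hashlib
import json

# Constructed stand-in for a transaction signature (real Ethereum uses ECDSA,
# but the property shown here is the same: a signature binds one message only).
def sign(private_key: bytes, message: dict) -> str:
    payload = json.dumps(message, sort_keys=True).encode()
    return hmac.new(private_key, payload, hashlib.sha256).hexdigest()

def verify(private_key: bytes, message: dict, signature: str) -> bool:
    return hmac.compare_digest(sign(private_key, message), signature)

class WalletSigner:
    """Models a Ledger / MetaMask-style wallet: the key never leaves this object."""
    def __init__(self, private_key: bytes):
        self._key = private_key
    def sign(self, message: dict) -> str:
        return sign(self._key, message)

class CopycatSite:
    """Models the phishing page: it records whatever the browser hands it."""
    def __init__(self):
        self.captured = []
    def manual_key_flow(self, typed_key: bytes) -> None:
        # The user pastes a raw key into the form: the page now holds the key itself.
        self.captured.append(("raw_key", typed_key))
    def wallet_flow(self, signer: WalletSigner, order: dict) -> None:
        # The user approves one order in the wallet: the page gets only that signature.
        self.captured.append(("signature", signer.sign(order)))

def site_can_authorize(site: CopycatSite, victim_key: bytes, unapproved_tx: dict) -> bool:
    """Can the site operator produce a valid signature on a transaction the user never approved?"""
    for kind, value in site.captured:
        if kind == "raw_key":
            return verify(victim_key, unapproved_tx, sign(value, unapproved_tx))
        # Holding only a signature over a different message, replaying it is all the site can try.
        if verify(victim_key, unapproved_tx, value):
            return True
    return False

def compare_flows():
    key = b"constructed-victim-private-key"   # constructed sample value
    order = {"type": "trade", "token": "ETH", "amount": 1}
    drain = {"type": "withdraw", "to": "constructed-attacker-address", "amount": 305}
    manual, wallet = CopycatSite(), CopycatSite()
    manual.manual_key_flow(key)
    wallet.wallet_flow(WalletSigner(key), order)
    return site_can_authorize(manual, key, drain), site_can_authorize(wallet, key, drain)
```

`compare_flows()` returns `(True, False)`: the manually typed key lets the site authorize an arbitrary withdrawal, while the wallet-backed flow leaves it with a signature that verifies only for the order the user actually approved.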
EtherDelta can’t chalk this attack up as a win, but had this been a conventional exchange, the losses would have been much more substantial. Still, even with the protection of decentralization and smart contracts, security measures must be taken to mitigate the risk of phishing attacks like the one we just witnessed. It’s also up to users to remain vigilant when trading to spot any abnormalities a fake website may present when compared to an exchange’s typical layout.
Featured image from Shutterstock.
Last modified: May 20, 2020 9:15 PM UTC